FIND-20260328-004 · 2026-03-28 · Innovation Veille

RUSTSEC-2026-0071 — hpke-rs CRITICAL nonce reuse vulnerability

cve LOW
RUSTSEC-2026-0071 is a CRITICAL severity advisory for the hpke-rs crate: nonce reuse in HPKE context breaks the confidentiality guarantees of Hybrid Public Key Encryption. Related advisories RUSTSEC-2026-0070 (panic on export-only context) and RUSTSEC-2026-0075 (all-zero key generation on catastrophic RNG failure in libcrux-ed25519) were filed in the same batch. The libcrux cryptographic library series has multiple HIGH advisories this week.

Source

https://rustsec.org/advisories/

ODS Impact

ODS Rust services do not currently use hpke-rs or libcrux directly in known dependencies. Low immediate risk. However, if any future ODS service adds post-quantum or hybrid encryption libraries (relevant for SecureMail), these crates should be avoided until patched. Run cargo audit in the billing-engine and securemail services to confirm hpke-rs is not a transitive dependency.
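A lockfile check to run alongside the cargo audit step above, reporting which of your own services reach a flagged crate through transitive dependencies (an added example, not code from the advisory or from the hpke-rs project). It assumes the Cargo.lock text layout, treats packages without a source line as local services, and matches crate names only, so matching affected versions is still left to cargo audit. The sample lockfile, the mail-envelope crate and all version numbers are constructed.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Constructed Cargo.lock excerpt: "mail-envelope" is hypothetical, versions are placeholders.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "securemail"
version = "0.1.0"
dependencies = [
 "mail-envelope",
]
[[package]]
name = "mail-envelope"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "hpke-rs",
]
[[package]]
name = "hpke-rs"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Local (source-less) packages whose dependency graph reaches any crate named in `flagged`.
fn exposed_services(lock: &str, flagged: &[&str]) -> BTreeSet<String> {
    let (mut pkgs, mut cur) = (BTreeMap::<String, (bool, Vec<String>)>::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            cur = v.trim_matches('"').to_string();
            pkgs.entry(cur.clone()).or_insert((true, Vec::new())); // name -> (local, deps)
        } else if let Some(p) = pkgs.get_mut(&cur) {
            p.0 &= !line.starts_with("source = "); // registry/git crates are not our services
            if line.starts_with('"') { // dependency entry: "name", "name version" or "name version (source)"
                p.1.push(line.trim_matches(|c: char| c == '"' || c == ',').split(' ').next().unwrap_or("").to_string());
            }
        }
    }
    // Propagate "reaches a flagged crate" up the graph until nothing new is marked.
    let mut hit: BTreeSet<String> = flagged.iter().map(|f| f.to_string()).collect();
    loop {
        let before = hit.len();
        for (name, p) in &pkgs {
            if p.1.iter().any(|d| hit.contains(d)) { hit.insert(name.clone()); }
        }
        if hit.len() == before { break; }
    }
    pkgs.iter().filter(|(n, p)| p.0 && hit.contains(*n)).map(|(n, _)| n.clone()).collect()
}

fn main() {
    println!("{:?}", exposed_services(SAMPLE_LOCK, &["hpke-rs", "libcrux-ed25519"]));
}
```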

Security Review

License: Apache-2.0 | Maintenance: ACTIVE | Risk: MEDIUM | Recommendation: USE_WITH_CAUTION

Tags

rust cve cryptography hpke rustsec supply-chain